The Stack Overflow Podcast

Who's going to pay to fix open source security?

Episode Summary

We chat about the corruption of color.js and faker.js, open source libraries widely used across GitHub and NPM. We explore some of the organizations trying to find ways to better fund and secure open source software and unpack the possibility that these kinds of disruptions will only become more common in the future.

Episode Notes

Will no one think of the maintainers? As The New Stack points out, watching millions of projects fail because of a bug in an open source library has become common enough that  we shrug and reply, "Told you so." It's gotten so bad, big tech companies are visiting the White House to discuss the issue as a matter of national security.

There is a great post up on the Stack Overflow blog examining this issue, but it's not about color.js, it's about Log4J. Traffic to questions on this logging library grew more than 1000% after the recent revelations about a new vulnerability.

Also discussed in this episode: cryptographer and Signal creator Moxie Marlinspike stepped down from his role as CEO of the encrypted messaging service. That's news, but he actually made bigger waves in tech circles with an unrelated blog post detailing his first experience with Web3. Spoiler alert: it's not as decentralized or divorced from Web2 as you might have thought.

You can find Cassidy Williams on Twitter and her website.

Ben Popper can be found on Twitter here.

Ryan Donovan can be found on Twitter, or writing for the Stack Overflow blog.


Episode Transcription

Cassidy Williams There's all these different attempts at funding open source. But for every person that does offer money in some way, there's going to be 10 people who don't.

[intro music]

Ben Popper Hello everybody. Welcome back to the Stack Overflow Podcast, subzero edition. It is negative five with the wind chill where I am in the Hudson Valley. Cassidy Williams, one of my co-hosts, is in the Chicago area. What kind of weather are you looking at these days, Cassidy?

CW It's actually been weirdly mild, which is probably concerning, because, you know, it shouldn't be.

BP Right. Either it's cold, or it's climate change.

CW Right. [Cassidy laughs] Exactly. We've got a balmy 10 degrees today. Ryan, how about you? What are you looking at?

Ryan Donovan I got a winner at sixteen!

CW Bring out the swimsuits. [Cassidy & Ben laugh]

BP Well, welcome everybody to the Stack Overflow Podcast, a place to talk all things software and technology. I'm Ben Popper, director of content here at Stack Overflow, joined by Cassidy Williams of Remote and Ryan Donovan, my colleague here at Stack Overflow. Today, we're gonna kick off chatting about a link about open source libraries that got corrupted. And then more generally, a topic we've touched on a lot, which is the degree to which, you know, everybody relies on certain open source projects or libraries, and, you know, what it means to maintain those. So Cassidy, can you talk to me a little bit about what happened here? Just sort of set the scene?

CW Yeah. And so in the open source world, right now, there's a bit of chaos where there's these two JavaScript libraries, Faker JS and Colors JS, which they're kind of basic utilities, but a lot of people use them, a lot of people use them and their dependencies for a lot of libraries. And I think because they have been corrupted by the developer who's using them, there's a lot of questions right now about paying open source developers, having really set versions so that way these corrupted libraries don't affect your code bases, and kind of just security around all that and how open source maintainers are treated. And it's definitely a topic that has been talked about a lot in general. And it's very reminiscent of Left Pad many, many years ago, for anyone who was doing web development back at that point, where there was a JavaScript library called Left Pad where the developer deleted it suddenly, and everything broke around the internet that was using this library. And thus, various technologies were born, like yarn, to try to protect from things like that. And the topic is back up again, about what do people do when the people who are pretty much working for free decide they don't want to work for free anymore?

BP Yeah, I think Cassidy, you brought this up earlier, and I thought it was a good point, you know, we want to be respectful of the person who made these changes. The reason they made them, we're not going to sort of like villainize them or make guesses about that. But you have to get to a certain point where, you know, you have a certain reputation as a maintainer and you're able to make these changes without really getting permission from anybody? Or is it literally anybody can go in and make these kinds of changes. When we're talking about libraries like this?

CW If you're a maintainer, you can do whatever you want, that happens all the time. If you're a maintainer, you get to do it, you get to do whatever you want. But if there's like a group of board a list of collaborators, it depends on how your open source organization is run, there's pretty much always some central core group of people or a person who gets to say what.

BP Right, so like, how many maintainers are within, you know, a popular set of libraries like this, like how many people get to make these kinds of moves?

CW You know, it varies. Some of these libraries are definitely much more organized than others. Like if you were to look at Vue JS, for example, that is entirely human run, community run. It's not owned by a company or anything. They do have sponsorships and stuff, but there's like Evan You who created Vue, but Evan is not always the be all end all for all decisions because he has quite the organization around him, around Vue JS, maintaining it. I don't know if it's the same for Colors JS or for Faker JS.

RD So just looking at the NPM for Faker, there is one maintainer?

CW Yeah, and for Colors JS, it's under this one maintainer's GitHub, but it's used by 4.3 million people.

BP Not a good ratio. Yeah, a different kind of than Twitter but not a good ratio. So yeah, that makes sense. Well, I guess the blockchain solves this, right. You build in incentives, and you use your stake in the network to vote and then you don't have to worry about this kind of thing. No, I'm just kidding. 

RD You have the same problem. because there's one person who has stake in the network, there's one person who's contributing, they get to do whatever they want.

CW This was a topic that was brought up a lot back when I was working at React Training in 2019, 2020. Because we would teach React workshops all over the place. But we also maintained React Router, which is also used by millions of people. And it's the most popular routing solution for React. And the two founders of React Training, now Remix, are the creators of React Router, and they weren't paid anything worthwhile to maintain it. They're just like, well, we kind of just have to, and it sucks, because we get no income from this gigantic thing. And it's great because it does give them clout in the developer community, it has gotten them very involved. They've learned a lot from it. They've met so many cool people, but that doesn't pay the rent.

RD Yeah, clout and 10 bucks can get you a sandwich.

BP Okay, now I'm not being facetious, before I was being facetious, but now I'm not. So this is, I do think, the one thing that a lot of these blockchain web3 things get right, is that from the beginning, you build in a financial incentive to participate. So if you were to say, look, I'm going to create a new open source project. And I want to make sure as many people get to use it as possible, but because it's going to be, you know, like sort of transparent and recorded in some way, so I know when folks are using it, and we're going to set up a licensing so that anybody who uses it more than 1000 times a month or whatever the scale is, that implies you're a serious operator, you know, then you're going to pay into this fund and that fund will be used to remunerate all the people who are maintainers or creators. Like that is sort of the missing link. Right, Ryan, we wrote a blog about this?

RD I mean, I think the blog post we published about it was about there are ways to you know, compensate folks, whether it's Patreon, whether it's big companies contributing source code, or whether they have kind of Open Source Plus business models, where you're paying for, you know, a compiled package and support. But I think for you know, small, small things like this, like, people are using it, but there's no guardrails on it.

BP I mean, Cassidy, you tell me anything add like, right, as you were saying, like, with your earlier react project, or this one, you know, right, when you get to the scale of several million people are relying on it. That's the point where you would love a system that says, okay, each of these folks who's using it as a dependency pay 10 cents a month. And that at that scale of 3 million people means, you know, we can fund a full time maintainer, or whatever it is, right?

CW Yeah. But then there will be an alternative that doesn't cost money. Like, people don't want to spend money. That's the core of it. And I'll use the Remix folks as an example again. So for a little bit of context, I worked for them at React training. And because it was fully traveling company in the pandemic, that doesn't go so well. And so they had to lay off all staff. And so that is why I ended up leaving, and they decided to create the Remix framework. After that in the pandemic, to be just like, let's build this framework we've always wanted to make, and at first, it was a paid framework, you could use it, if you paid for a license, they had open collective stuff set up so you could donate, they had a community and it was like a lifetime license. And then also like corporate licenses, they had a very good system set up. But they gained almost zero traction by having a license. And then the moment that they decided, okay, we're actually going to raise money from VCs, and go open source completely, and it's free to use, their popularity has been skyrocketing as a result, that's just--

BP Even that little bit of friction of like, we're gonna charge you 10 cents a month. But that means you have to accept this license. And, you know, authenticate with your wallet here, is what makes the difference between widely adopted and not.

CW Yeah, exactly. People don't want to spend money on the internet, if they don't have to.

RD Even people making money on the software big companies just want right, you know, the easy open source.

BP So this is like a failure of the commons. This is like a Don't Look Up situation where like, we're just every six months, we're gonna have, you know, an open source disaster like this, and we just, it's, it's par for the course because like, as people, we can't, we don't really operate any other way. Is that what you're telling me? Like, there's no solution here? I don't mind. You know, I don't know. 

RD I mean, I would wager so, like, if you're relying on, you know, people's goodwill, to support, you know, foundational things for the Internet and projects on the internet, like, at some point, somebody's gonna get mad or decide to leave the project or have personal issues and your dependencies screwed.

CW Right. And there are quite a few companies and startups and stuff out there trying to solve this. I think it's just one of those things where there's no standards for it yet. It's like that XKCD comic where everyone's like, man, there's six different ways to do this, we need to fix this. There are now seven different standards. Open Collective is trying to solve it. I was just talking to Floss Bank recently, who are trying to solve it. There's all these different attempts at funding open source. But for every person that does offer money in some way, there's going to be 10 people who don't.

RD Places like NPM kind of created the utopia of being able to access, you know, any open source project at any time. But like you said, who's gonna pay for it? 

BP So this is really more about developer education and just being like, look, you know, know that when you're using NPM, this may happen to you, here's how you respond quickly to get back to a working state?

RD I think NPM automatically updates. Is that right? 

CW Yeah. And it automatically updates, but you can have like a lock file in your code bases. And then people have already made forks of old versions and stuff. And so there's a lot of options there to protect yourself. I think a big part of it is getting a lot of these open source libraries paid. And something that I think would be, is probably the direction that needs to go. But I'm not going to solve any of the world's problems on this podcast.

RD Oh, come on.

BP You gotta at least try.

CW I try and but I just need everybody to listen to me, because I'm right about everything. I think companies just need to pay open source maintainers, because there are plenty of individuals who use all these libraries. And a lot of times, it's for hobby projects, or because they're experimenting and stuff. But companies that are relying on these projects for their infrastructure that like if it were to go down, profits would go down, they're the ones who should be paying these maintainers. 

BP I mean, that's really the rub, I think you're saying before, like, yeah, get traction and get to scale by offering it for free. But when an organization that has its finances on the line starts using it, that's when they need to pay in. So that's kind of the mechanism that needs to be built to make that easier and transparent and simple for the maintainers to ask, and for those companies to pay in that that kind of makes sense to me. 

RD You know, whether you set it by number of people in the organization or amount of yearly income, it's still self reported. And somebody's gonna be like, well, I'm going to tell them something else. And I'm going to have this dependency in there for free.

BP I guess people also get a little salty sometimes when corporations try to sort of own the governance or get very involved, and people sort of get salty about that part of it. It cuts both ways.

[music]

BP Tired of overpaying for cloud infrastructure? Try Vultr instead. Vultr offers up powerful cloud compute and simplified instance management at a fraction of the cost of the other guys. Visit vultr.com/stack to redeem $100 in credit today. Okay, I thought this was very interesting. 

[music]

BP I know we promised not to talk all about crypto, but Moxie Marlinspike, the founder and CEO of Signal, is stepping down as the CEO. Signal is something that was super important when I was in the world of journalism, was super important to activists. And it's kind of on the one far edge of the spectrum in terms of supporting total end to end encryption, which can be a good thing and a bad thing, depending on who's using it, and puts them into conflict sometimes with governments and law enforcement. But I think it is typically very popular among developers and programmers and cryptographers who tend to favor, you know, sort of full personal privacy. But in our, like, sort of ongoing discussion of decentralized versus centralized, Marlinspike, as a cryptographer, decided to play around with web3, make some NFTs, made some kind of interesting ones, we'll include it in the show notes. But the super interesting thing, I guess, that I got out of this was that so much of the activity that's happening where people are saying, this is amazing, you know, we're a DAO, we're a self governing organization, we own this, it's on the blockchain, nobody can control us, and we're giving these NFTs to you, and nobody else can own them, actually just, like, runs through three or four centralized infrastructure providers, because otherwise it wouldn't be as simple as opening an app wallet and handing somebody an NFT. And when you get down to it, like, what you believe is, you know, this sort of like immutable decentralized activity happening on the blockchain, it's really just an API call to a centralized platform that you are trusting whether you know it or not. So I thought that was kind of a fascinating post, and kind of put a lot of things in perspective for me.

RD It's interesting, I read a really interesting Twitter thread yesterday, and I didn't want to share it because I didn't want this to become the, you know, the crypto Olympics, but it was sort of talking about what an NFT really is. And it's just the token. For it to be usable, there has to be infrastructure built up around it. It's just like a pointer to a JPEG or to some, you know, a gun in the game. And to use that, somebody has to build something around it.

BP At this point, there are basically two companies. Almost all dapps, decentralized apps, use either Infura or Alchemy in order to interact with the blockchain. In fact, even when you connect a wallet like MetaMask to a dapp and the dapp interacts with the blockchain via your wallet, MetaMask is just making calls to these client APIs. They are not using anything to verify blockchain state or the authenticity of responses. The results aren't even signed. An app like Autonomous Art says, hey, what's the output of this view function on this smart contract? Alchemy or Infura responds with a JSON blob that says this is the output, and the app renders it. So it's kind of like, you may think, you know, you've left behind the centralized Internet, and you're on web3. But really, there's a web wrapper and an API wrapper that's making all of this feel seamless and approachable to you. And which means you're not really interacting directly with the blockchain, whatever that may be.

CW I think that one of these providers, I forget which one, actually went down somewhat recently, because of like an AWS outage or something like that. And people were just like, wasn't this the whole point? So it's still early days.

RD Yeah.

BP If an AWS outage can take down the API calls that power my ability to interact with the blockchain, what have I really gained? Except I'm getting to pay, I have the privilege of paying $100 per transaction, which is nice.

CW Yeah. Lucky you.

BP Lucky me.

RD Also the thread was talking about, you know, we already have an infrastructure that works pretty well for these sort of things. Like, you're not getting anything extra by having it on the blockchain yet, right? And I'll say, yeah, because, you know, at some point, we may have killer use cases that make NFTs the thing that you need for all your digital items. But right now, it's just a token at a video game parlor. And if the video game parlor closes down, you have a piece of metal.

CW I think, just as a last note on this article, one thing that I thought was interesting was that they made an NFT that changes based on who's looking at it. And they were just like, oh, this might be kind of interesting, where it looks like a Starburst type of thing on OpenSea, and then on Rarible, it's kind of just like sound waves or something. And then if it's just in a wallet, it looks like the poop emoji. Somehow, it was just removed from OpenSea. OpenSea was just like, no, you can't do this. But then it was removed from his wallet. Yeah. And suddenly, it was this whole thing and was just like, so this isn't decentralized. This is just you guys controlling things.

BP Yeah, Chris Dixon was trying to troll web2 and say, oh, you know, Instagram took away the meta handle from so and so that's why we're web3. But OpenSea is just recreating all those problems, right? They don't want to be trolled either. So.

CW There's so many things where I've genuinely tried to understand it. And I think it's just such early days that it's hard to not just be skeptical, because in its current state, so many things are broken.

RD I mean, don't get me wrong. It sounds like a fascinating technology. It is fascinating. I love decentralization, but how do you get there?

CW Git was decentralized. And then there was GitHub. And I mean, GitHub has generally been a good thing, people have a central place to put a bunch of their code and distribute a lot of their code. There's a lot of software that's been decentralized, and then centralized, because people do like having a hub for things. So this concept isn't new. It's just the way we're going about it is different, in the way where both demonizing and worshipping it is different too.

BP Alright, well, one quick shout out, we launched Collectives last year on Stack Overflow. And that sort of is a place where we'll organize a whole bunch of questions by tags. So if you want to talk about stuff related to GoLang, for example, you can go to the GoLang collective. And the nice thing about being there, aside from just asking a question randomly on the broader Stack Overflow Stack Exchange Network, is that folks who are actually working on GoLang and part of the core team hang out there and will help to answer questions, or they'll put a stamp of approval on something and say, this is the best answer. And there's also recognized members, so folks in the community who have contributed a ton to answering questions and submitting stuff about GoLang sort of get, you know, a little bit of status there. And that enables you to sort of trust them, and you know they're contributing. So we enabled people there to write articles, and there's a bit of push and pull with the community about the best way to do that. So yesterday, we released a proposal for sort of article submissions, and how people will do that. So it's pretty interesting because, like, for the first time ever, we're trying on Stack Overflow to allow people to do something besides Q&A, you know, to write a how to, best practices, to explain why a certain project was built a certain way. And so there's now, speaking of open source and distributed governance, a proposal out there for how people can submit articles to the admins and recognized members, get it sort of approved as being, you know, a value to this collective, and then from there, they can go ahead and publish and share that with everybody. So if you're interested in Collectives, or just sort of working on Stack Overflow, go check it out. I think Articles have a lot of potential, so excited to see that change happen.

BP Alright, everybody, it is that time of the show. I will shout out the winner of a lifeboat badge. Let's shout out a lifeboat awarded yesterday to KNelson59406. "How to deploy Spring 5.x on Tomcat 10.x: A Spring MVC Hello World application running on Tomcat." Well, if that means something to you and you're interested, check it out in the show notes.

CW I don't think I've used Tomcat since college. This is, woof, that took me back there for a second.

BP Cool. All right, everybody. I am Ben Popper. I'm the director of content here at Stack Overflow. You can always find me on Twitter @BenPopper, email us podcast@stackoverflow. And if you enjoy the show, leave us a rating and review, it really helps.

RD I'm Ryan Donovan. I edit the blog here at Stack Overflow. You can find me on Twitter @RThorDonovan. And if you have a great idea for a blog post please email us at pitches@stackoverflow.com.

CW I'm Cassidy, I am at Remote, not just like remote work, remote.com. Ha ha!

RD Aye!

CW And you can find me @cassidoo on most things.

BP Alright everybody. Thanks for listening and we will talk to you soon.

CW Bye!

[outro music]